vCenter certificate replacement fails at 0% with error "Operation failed, performing automatic rollback"

Article ID: 315406

Products

VMware vCenter Server

Issue/Introduction

  • vCenter Machine SSL certificate replacement with a custom certificate fails and an automatic rollback is initiated.
  • The rollback operation also fails if the Machine SSL certificate has already expired and some services, such as vpxd-svcs, fail to start.
  • The Certificate Manager CLI (/usr/lib/vmware-vmca/bin/certificate-manager) shows the errors below:

Status : 0% Completed [Publishing Root cert...]

Status : 0% Completed [Operation failed, performing automatic rollback]

Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

Performing rollback of Machine SSL Cert... 

  • The certificate-manager.log file indicates that the dir-cli command used to publish the trusted certificate failed, and shows the errors below:

    /var/log/vmware/vmcad/certificate-manager.log 

    YYYY-MM-DDTHH:MM:SS.###Z INFO certificate-manager Publishing third party cert to TRUSTED_ROOTS store
    YYYY-MM-DDTHH:MM:SS.###Z INFO certificate-manager Running command : ['/usr/lib/vmware-vmafd/bin/dir-cli', 'trustedcert', 'publish', '--cert', '/tmp/root_chain.pem', '--chain', '--login', '[email protected]', '--password', '######']

    YYYY-MM-DDTHH:MM:SS.###Z ERROR certificate-manager Error while replacing Machine SSL cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    YYYY-MM-DDTHH:MM:SS.###Z ERROR certificate-manager
    "detail": [
        "id": "install.ciscommon.command.errinvoke",
        "translatable": "An error occurred while invoking external command : '%(0)s'",
        "args": ["Error while publishing cert using dir-cli."]

Environment

  • vCenter Server 7.x.
  • vCenter Server 8.x.
  • vCenter Server 9.x.

Cause

  • All intermediate CA certificates and the root CA certificate must be published to the TRUSTED_ROOTS certificate store on vCenter. This issue occurs when the CA certificate chain file is not in plain Base64 (PEM) format.
  • This can be verified by opening the CA chain file (for example, /tmp/root_chain.pem from the error above). If it contains additional text such as the "subject=" and "issuer=" lines shown below, those entries must not be present in the CA chain file supplied during certificate replacement.

    subject=C=<Country>, ST=<State>, L=<Locality>, O=<Org>, OU=<OrgUnit>, CN=<CA Common Name>

    issuer=DC=com, DC=<>, DC=<>, CN=<RootCN>

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 1 Certificate
    -----END CERTIFICATE-----

    subject=C=<Country>, ST=<State>, L=<Locality>, O=<Org>, OU=<OrgUnit>, CN=<Intermediate Common Name>
    issuer=DC=<>, ST=<State>, L=<Locality>, O=<Org>, OU=<OrgUnit>, CN=<CA Common Name>

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 2 Certificate
    -----END CERTIFICATE-----

    subject=DC=com, DC=<>, DC=<>, CN=<RootCN>
    issuer=DC=com, DC=<>, DC=<>, CN=<RootCN>

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Root Certificate
    -----END CERTIFICATE-----

Resolution

Create the Root CA chain file in the format below (PEM blocks only, nothing between them) and then proceed with the certificate replacement.

-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>       <-----Intermediate 1 Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>       <-----Intermediate 2 Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>       <-----Root Certificate
-----END CERTIFICATE-----
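As an added example (not part of this KB article or of the certificate-manager tool), the following POSIX shell functions check a chain file for the stray "subject="/"issuer=" text described in the Cause section and produce a file in the format the Resolution asks for. The sample input is constructed, and its certificate bodies are placeholders rather than real certificate data.

```shell
#!/bin/sh
# Added example, not from the KB: keep only the PEM blocks of a CA chain file.
# The "subject="/"issuer=" lines and blank lines inside a block are what make
# "dir-cli trustedcert publish" fail during certificate replacement.

# Print only the PEM blocks of file $1, no stray text, no blank lines.
clean_chain() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
       inblock && NF                  { print }
       /^-----END CERTIFICATE-----$/  { inblock = 0 }' "$1"
}

# Print every non-empty line of $1 that lies outside a PEM block.
stray_lines() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
       !inblock && NF                 { print }
       /^-----END CERTIFICATE-----$/  { inblock = 0 }' "$1"
}

# Number of certificates (intermediates + root) in $1.
cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Succeeds only if $1 has no stray text and every BEGIN has a matching END.
check_chain() {
  [ -z "$(stray_lines "$1")" ] || return 1
  b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Constructed sample of the bad layout from the Cause section; the body
# lines are placeholders, not real certificate data.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
subject=C=US, O=Example, CN=Example Issuing CA
issuer=DC=com, DC=example, CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate1
-----END CERTIFICATE-----
subject=DC=com, DC=example, CN=Example Root CA
issuer=DC=com, DC=example, CN=Example Root CA
-----BEGIN CERTIFICATE-----

MIIBplaceholderRoot
-----END CERTIFICATE-----
EOF
CLEANED=$(mktemp)
clean_chain "$SAMPLE" > "$CLEANED"   # the file to hand to certificate-manager
```

On the appliance the same functions can be applied to the real chain (for example `clean_chain /tmp/root_chain.pem > /tmp/root_chain_clean.pem`) and `check_chain` run on the result before starting the replacement.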

Additional Information